Across APAC, cybersecurity budgets are rising.Yet for many CIOs and CISOs, the harder conversation is no longer about why security matters, but whether the investment is actually delivering measurable value.Recent data from PwC shows that 84% of organisations in Asia Pacific increased their cybersecurity budgets in the past year.
On the surface, that suggests strong executive support.In practice, however, growing spend has brought sharper scrutiny from boards and chief financial officers (CFOs), not reassurance.The underlying tension is simple: more investment has not automatically translated into clearer outcomes, reduced incidents, or confidence at the board table.
Rising budgets, stubborn outcomes For security leaders, this disconnect is becoming increasingly difficult to ignore.According to another recent report for APAC, 91% of organisations experienced at least one cybersecurity incident in the past 12 months, and 53% suffered multiple incidents, despite sustained increases in security spending.At the same time, 45% of APAC CIOs admitted they had overinvested in tools they did not fully need or utilise.
This is not an indictment of security teams or strategy.It reflects the reality of an environment where threats are evolving quickly, tools are proliferating, and success is hard to define in simple terms.From a CISO perspective, the challenge is less about budget size and more about efficiency: how much risk exposure is actually being reduced for each dollar spent.
Why boards and CFOs remain unconvinced Boards and CFOs are not questioning the importance of cybersecurity.What they are questioning is its return on investment.Unlike traditional capital investments, cybersecurity outcomes are probabilistic.
Avoided breaches, faster detection times, and reduced blast radius rarely show up as clean line items on a balance sheet.Metrics commonly used by security teams — such as tool coverage or alert volumes — do not naturally translate into financial risk language.As a result, many CISOs find themselves reporting activity rather than impact.
When budgets increase, but incidents continue, it becomes harder to explain whether the organisation is becoming meaningfully more resilient or simply more complex.This gap between technical performance and business confidence is now a central issue in APAC cybersecurity strategy.Must-read security coverage UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case Blackpoint Cyber vs.
Arctic Wolf: Which MDR Solution is Right for You? How GitHub Is Securing the Software Supply Chain 8 Best Enterprise Password Managers The APAC reality: same pressure, different contexts While the ROI challenge is consistent across the region, its shape varies by market.In Australia, regulatory pressure and board accountability have made cybersecurity spend far more visible at the executive level.CISOs are increasingly expected to demonstrate how investment aligns with risk reduction and operational resilience, not just compliance.
In Singapore, where security maturity is generally higher, the conversation has shifted toward efficiency and whether current security models are sustainable under ongoing cost and resource constraints.Boards want assurance that existing investments are being optimised, especially as cost discipline tightens across the business.In India, enterprise-scale cybersecurity adoption is accelerating rapidly.
As security becomes a material cost centre rather than a discretionary spend, senior leaders are asking earlier and more pointed questions about prioritisation and value.Across all three markets, the common thread is not underinvestment.It is the demand for clearer justification.
What this means for APAC CIOs and CISOs The cybersecurity conversation in APAC is maturing.The central question these days that CIOs and CISOs find themselves answering is now “Is this spend defensible, effective, and aligned to the risks the business actually faces?” This shift requires a different framing of security value.One that connects technical outcomes to business exposure, capacity, and resilience.
It also demands greater clarity on where investment is genuinely improving security posture, and where it may be adding cost without commensurate benefit.This is not about doing more.It is about being able to explain, with confidence, what the organisation is getting in return and why it matters now.
Subscribe to the Cybersecurity Insider Newsletter Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.Delivered every Monday, Tuesday and Thursday Subscribe to the Cybersecurity Insider Newsletter Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.Delivered every Monday, Tuesday and Thursday
Read More
